[unisog] AUPs re FTP and Telnet

Kevin Lanning wrote:
> Would appreciate references to Appropriate Use Policies regarding
> restriction of FTP and Telnet.
Here's one general approach, speaking as the person who (before becoming a
consultant) used to be in charge of security policy for a public sector
entity (tens of thousands of employees, similar numbers of Internet
connected devices, thousands of servers, millions of constituents).

Before deploying [service], identify AND DOCUMENT major threat vectors and
assess the overall risk to the organization (decide whether you want this
to be done internally or externally). Justify, to the satisfaction of the
[person/entity] responsible for the security of the
[unit/department/college/university], accepting these risks based on the
value provided by providing [service]. Appropriate ways to shift some
portion of the cost of responding to an incident to the responsible
parties, such as [billing response time/fine/public flogging/etc].

This general formula works really well and improves over time, as the
responsible parties gain experience and expertise in security assessment.

Major elements that will make this work:
1) Documentation trail must exist
2) Risk assessment must occur prior to deployment of new service
3) Justification to a neutral third party is involved
4) Consequences of security failure go to the "right" parties.

Stock documentation will quickly exist for common services, especially if
you keep an online archive.

You don't need flowery language or a complicated policy stance. Keep it
simple and readable.

Even in the absence of central control, using this in a self-enforced
method leads to real improvements over time.
-Bill
--
William Yang
wyang at gcfn.net